tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Certificate based database authentication
Date Fri, 20 Jul 2018 15:12:39 GMT

Will,

On 7/10/18 9:03 AM, Will Nordmeyer wrote:
> I have an application in Tomcat 7 that connects to an Oracle
> database. Currently we are connecting using the username/password
> which is embedded in the xml files.  To harden security, we are
> looking at x509 certificate authentication.
> 
> Is there a way to tie a certificate to Tomcat and have them
> authenticate that way?

Your point is well-taken that sometimes the Tomcat users' mailing list
is a better resource than many others. If you are asking a question
you know to be off-topic, please tag it with the [OT] moniker. It
changes nothing, but at least acknowledges that you are asking
something that is not Tomcat-specific.

I don't know about Oracle Server specifically, but this is how we do
things for MySQL/MariaDB in our application's META-INF/context.xml file:

    <Resource
        ...[redacted configuration]...
        url="jdbc:mysql://host:port/database?characterEncoding=utf8&amp;dumpQueriesOnException=true&amp;zeroDateTimeBehavior=convertToNull&amp;useServerPrepStmts=false&amp;useSSL=true&amp;requireSSL=true&amp;trustCertificateKeyStoreUrl=file:/path/to/keystore.jks&amp;trustCertificateKeyStorePassword=supersecret"
    />

So the URL for connecting to the MySQL driver has parameters which
control how the authentication is set up.

Note that the password for the keystore is right there in the
configuration. There's really nothing you can do about that[1]. Make
sure that your file-based security policy is sane, and that only the
Tomcat server process can read that file.

Looking at Oracle's documentation[2], I don't see anything in
particular for how to configure a connection to use TLS *at all* let
alone mutually-authenticated connections.

There is a PDF whitepaper[3] that I found that might be helpful. Let
us know if you have any success with any of that.

Note that */I/ highly recommend* that all database connections from
Java (and other) applications utilize mutual-authentication wherever
possible, so I'm happy to hear about people implementing such security
controls. Keep up the good work.

-chris

[1] https://wiki.apache.org/tomcat/FAQ/Password
[2] https://docs.oracle.com/cd/E13222_01/wls/docs81/jdbc_drivers/oracle.html
[3] http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf
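The snippet in Chris's reply only configures a trust store, so the client verifies the server but presents no certificate of its own; for the mutual authentication he recommends, MySQL Connector/J also needs clientCertificateKeyStoreUrl and clientCertificateKeyStorePassword. The following is an added example (not code from this thread, nor part of Tomcat or Connector/J) showing how a deployer could preflight such a setup before putting the URL into context.xml: it loads both JKS stores with the passwords that will end up in the URL, checks that the trust store holds a trusted certificate and the client store a private-key entry, and verifies that context.xml and both stores are readable by their owner only, which is the file-permission point the reply makes. The class name, the store paths and the host/database values are hypothetical; the Connector/J property names are real. The Oracle thin-driver equivalent is not shown here, since the reply defers that to the whitepaper it cites.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;
import java.util.Set;

/**
 * Preflight checks for a mutually-authenticated MySQL Connector/J connection
 * configured through JDBC URL parameters. Added example; not code from the
 * mailing-list thread. Property names are Connector/J's: useSSL, requireSSL,
 * verifyServerCertificate, trustCertificateKeyStoreUrl/-Password (server CA)
 * and clientCertificateKeyStoreUrl/-Password (client certificate + key).
 */
public final class MutualTlsJdbc {

    /**
     * Builds the URL that goes into the Resource's url= attribute. Store URLs
     * and passwords are query-string values, so a value containing '&', '='
     * or '#' is rejected rather than silently changing how the driver parses it.
     */
    public static String buildUrl(String host, int port, String database,
                                  Path trustStore, String trustStorePassword,
                                  Path clientStore, String clientStorePassword) {
        return "jdbc:mysql://" + host + ':' + port + '/' + database
            + "?useSSL=true&requireSSL=true&verifyServerCertificate=true"
            + "&trustCertificateKeyStoreUrl=" + safe(trustStore.toUri().toString())
            + "&trustCertificateKeyStorePassword=" + safe(trustStorePassword)
            + "&clientCertificateKeyStoreUrl=" + safe(clientStore.toUri().toString())
            + "&clientCertificateKeyStorePassword=" + safe(clientStorePassword);
    }

    private static String safe(String value) {
        for (char c : value.toCharArray()) {
            if (c == '&' || c == '=' || c == '#') {
                throw new IllegalArgumentException("'" + c + "' is not allowed in a JDBC URL parameter value");
            }
        }
        return value;
    }

    /**
     * Loads a JKS store with the password that will be placed in the URL and
     * checks it holds what the driver needs: a trusted-certificate entry for
     * the trust store, a private-key entry (the client cert) for the key store.
     * Returns the number of entries found.
     */
    public static int checkKeyStore(Path store, char[] password, boolean requirePrivateKey)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, password); // a wrong password surfaces here as an IOException
        }
        int keyEntries = 0, certEntries = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) keyEntries++;
            else if (ks.isCertificateEntry(alias)) certEntries++;
        }
        if (requirePrivateKey && keyEntries == 0) {
            throw new GeneralSecurityException(store + ": no private-key entry, so there is no client certificate to present");
        }
        if (!requirePrivateKey && certEntries == 0) {
            throw new GeneralSecurityException(store + ": no trusted-certificate entry, so the server cannot be verified");
        }
        return keyEntries + certEntries;
    }

    /**
     * The keystore password is in context.xml in clear, so context.xml and both
     * stores must not be group- or world-readable (chmod 600, owned by the user
     * Tomcat runs as). POSIX filesystems only; elsewhere this throws
     * UnsupportedOperationException.
     */
    public static void checkOwnerOnly(Path file) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        for (PosixFilePermission p : perms) {
            if (p.name().startsWith("GROUP_") || p.name().startsWith("OTHERS_")) {
                throw new IOException(file + " has " + p + "; chmod 600 it so only the Tomcat process can read it");
            }
        }
    }

    /** Usage: java MutualTlsJdbc /path/to/context.xml trust.jks trustpw client.jks clientpw */
    public static void main(String[] args) throws Exception {
        Path contextXml = Paths.get(args[0]);
        Path trustStore = Paths.get(args[1]);
        Path clientStore = Paths.get(args[3]);
        for (Path p : new Path[] { contextXml, trustStore, clientStore }) {
            checkOwnerOnly(p);
        }
        checkKeyStore(trustStore, args[2].toCharArray(), false);
        checkKeyStore(clientStore, args[4].toCharArray(), true);
        // host/port/database are placeholders, as in the snippet from the reply
        System.out.println(buildUrl("host", 3306, "database", trustStore, args[2], clientStore, args[4]));
    }
}
```

When the printed URL is pasted into the url= attribute of context.xml, every '&' must be written as '&amp;', exactly as in the snippet above, or the XML will not parse. The permission check deliberately covers context.xml itself, since that file, not the keystore, is where the password ends up.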
